It is with significant personal regret that I share with you the news that uKnow had a private database repeatedly breached by a hacker using two different IP addresses on February 16, 2016 and February 17, 2016.
The hacker claims to be a "white-hat" hacker a "security researcher" or "white hat hacker" or "ethical hacker" which means he tries to obtain unauthorized access into private systems for the benefit of the "public good". Although we do not approve of his methods because it unnecessarily puts customer data and intellectual property at risk, we appreciate his proactive, quick notification as it was helpful to our team.
We have been locking down on the facts over the last few days with a forensics analysis of ALL uKnow systems, and we plan to disclose ALL of the relevant facts to our customers, the media, and the appropriate legal authorities as soon as we are confident that our facts are 100% accurate.
Here is what we know right now…
We know that there were two IP addresses that obtained unauthorized access to a uKnow database repeatedly over the course of 26 hours on February 16 and February 17, 2016.
The vulnerable database included proprietary intellectual property including customer data, business data, trade secrets, and proprietary algorithms developed to power some of uKnow's most important technology.
With respect to customer data, no financial information or unencrypted password credentials were vulnerable. However, names, communications, and URL data was exposed for about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
uKnow's technology team patched the database vulnerability within 90 minutes of discovery.
The first IP address that obtained unauthorized access to uKnow's private database was 184.108.40.206. We believe this IP address is associated with Mr. Christopher Vickery in Austin, Texas, but we don't have confirmation of that fact yet.
Mr. Vickery claims to work at a prominent law firm by day and exploit vulnerable technology systems at night. We do not have any additional background information on Mr. Vickery, but we are doing our best to fully identify Mr. Vickery in order to validate his stated "benign" intentions.
The second IP address (220.127.116.11) that accesed uKnow's private database in an unauthorized manner is reportedly associated with Mr. Vickery's full-time employer in Austin, Texas. Again, we don't yet have confirmation on who owns this IP address or the IP address owner's official connection with Mr. Vickery, but this is the early information we have been able to determine so far.
This second IP address (18.104.22.168) first accessed uKnow's private database at 9:05am CT on Tue Feb 16, 2016, and then at least another 9 times ending on 11:08am CT on Wed Feb 17, 2016.
Mr. Vickery downloaded uKnow's database starting at 3:45am CT on Wed Feb 17, 2016) and ending at 3:55am CT on Wed Feb 17, 2016.
Twelve minutes after the final breach from IP address 22.214.171.124 and after taking screenshots of our intellectual property, business data, and customer data, Mr. Vickery notified uKnow of his breach of our private systems.
Again, uKnow's technology team patched the database vulnerability within 90 minutes of discovery, and has been working around the clock 24/7 over the last few days to ensure that we know exactly what happened as well as to mitigate any other vulnerabilities. We have also hired two external, third-party firms to also test our systems for vulnerabilities. To date, no additional vulnerabilities have been discovered, but this will be an ongoing process.
In addition, we are aware of two additional IP addresses that discovered the vulnerable database, but both IP address are associated with credible organizations and neither of the IP addresses explored the database in question.
Scope of the Vulnerability...
ANY data breach affecting even a single subscriber is a very, very serious issue, and so we do not want to minimize the issue in any manner.
What we do know right now is that the alleged data breach affected about 0.5% of the kids that uKnowKids has helped parents protect online and on the mobile phone.
The database also included uKnow's proprietary natural language processing engine technology and data including our proprietary algorithms that power uKnow's technology.
We have repeatedly requested that Mr. Vickery permanently delete any and all copies of uKnow's intellectual property including iits proprietary customer data, business data, database schemas and field names, trade secrets, curated data dictionaries and algorithms.
After initial resistance, Mr. Vickery claims to have deleted the downloaded database in its entirety. However, he has reportedly retained an uknown number of screenshot copies of uKnow's intellectual property, and is so far unwilling to permanently delete this information. In an effort to protect our customers and stakeholders, we contine to request the destruction of any and all copies of uKnow's database including screenshots which are, in fact, copies of uKnow's database.
Again, we immediately patched the discovered vulnerability.
We immediately initiated an exhaustive forensics analysis of all uKnow systems to determine the potential scope of the vulnerability, to identify any other vulnerabilities, and to identify parties who obtained unauthorized access to our systems.
We have reconfigured all encryption keys and data schemas to dramatically mitigate any previously breached data.
We have hired two external, third-party security firms to proactively attempt to breach our systems on an ongoing and continuous fashion, so that we can proactively identify any future vulnerabilities as quickly as possible in the future.
We are updating our existing internal security policy and frameworks, so that there is zero ambiguity with respect to the daily, weekly and monthly security procedures that our organization will execute on to continue our best efforts to protect our customers' data and our corporate assets.
We started purchasing Norton Safe Shopping Guarantees for every new uKnowKids customer, so that they can be further protected by Norton's extensive third party shopping protections including identity theft protections.
We have contacted the Federal Trade Commission for guidance and to report the breach. uKnow goes to great effort and expense to fully comply with the FTC's COPPA regulations, and we believe we are in full compliance at this time.
uKnow's demand for Mr. Vickery to delete ALL copies of uKnow's database was obviously driven by our desire to protect our uKnowKids customers, but also to fully comply with COPPA requirements that we do not knowingly allow any third parties access to child data without first having affirmative, verifiable permission from parents. Mr. Vickery obviously did not and does not have authorization to explore, copy, or control this private child data (or uKnow's intellectual property), and we expect him to comply with our requests immediately.
We are also alerting the necessary legal authorities as the discovered facts dictate over the coming days.
We have alerted our customers as to the data breach, and we are sharing information with them as quickly as we possibly can.
Finally, we are sharing this public statement for the benefit of interested parties such as the media.
We will do our best to keep you informed of what we learn over the course of the coming days, and we will do so here on our blog as this is a widely-read, authoritative source of information in the Internet Safety and Security world, and it is also a scalable method of providing as much transparency as we can responsibly provide.
If you are a uKnowKids customer, please contact us at firstname.lastname@example.org with ANY questions. We will do our best to provide you with all of the facts as we know it.
If you are an interested legal authority, please contact us at email@example.com, and we will share all important, relevant information with you as well.
If you are a member of the media, please feel free to contact us at firstname.lastname@example.org, and we will be happy to share appropriate levels of information with you time permitting. You will obviously be a lower priority than our customers and the authorities, but you can count on us to share the relevant facts on this blog as they are discovered.
uKnowKids was originally created after one of our family children was victimized by an online predator, and so protecting kids is very, very personal to us. It is our life's mission as parents!
uKnowKids was built by parents hoping to help other parents protect their kids with the same knowledge and tools that we have created to protect our own families.
If there is one lesson that has been reinforced for us with this hacker's data breach, it is this... There are bad actors out there on the Internet and in our digital world that seek to exploit the vulnerabilities of our kids, our families, and our organizations for their own personal benefit.
uKnowKids has helped parents protect hundreds of thousands of children across the globe in more tha 50 countries, and we will continue to pour every ounce of our energy and focus into helping moms and dads keep their kids safe in our new digital world.
You have my personal commitment that our uKnow team will continue to do everything we can to help you keep your kids safe from bad guys and bullies online and on the mobile phone!
CEO, uKnow and uKnowKids
uKnowKids data breach update #2 - uKnowKids, February 25, 2016
uKnowKids defends response to data breach alert - BBC News, February 25, 2016